HIPAA Deadline Boosts Healthcare Data Practices - EnterpriseStorageForum.com


In the second part of our series on compliance and storage issues, we look at the effect that a looming rule mandating electronic records security is having on healthcare providers.

Healthcare organizations face a tough challenge under HIPAA, the Health Insurance Portability and Accountability Act: they must secure data, regulate its access, and retain it for periods sometimes measured in decades.

That is hard enough when the data is already centralized on a SAN, but hospitals often begin the compliance process with a mix of paper records and direct-attached storage (DAS) scattered across departments, which makes HIPAA's confidentiality and security goals even harder to attain.

HIPAA's Privacy Rule, in effect since April 2003 for most covered entities and since April 2004 for small health plans, requires confidentiality of protected health information in any form, paper included, regardless of the media on which it is stored. Strictly speaking, the retention period the Privacy Rule itself imposes is six years, and it applies to the documentation the Rule requires (policies, authorizations, accountings of disclosures) rather than to the medical record; the retention periods for medical records themselves come from state law and accreditation standards, which is where the figures usually quoted in HIPAA projects originate. Those periods can stretch from birth to 21 years of age for pediatric records, or beyond the lifetime of the patient for other medical records.

But it is the Security Rule that most affects IT. Its compliance deadline is April 20, 2005, for all covered entities except small health plans, which have until April 20, 2006, and it mandates protection and control of electronic protected health information through administrative, physical and technical safeguards. The technical safeguards, which cover access control, audit controls, integrity, person or entity authentication and transmission security, are the ones that land directly on storage and messaging systems.

Controlling Access

HIPAA's immediate effect on electronic storage is more about compelling better organization and access control than requiring drastically increased capacity. In the long run, the combination of HIPAA's mandated retention times and the increasing use of digital medical imaging will drive up storage requirements as well.

According to Peter Gerr, senior analyst at Enterprise Strategy Group, for many healthcare organizations, the first step in gaining a handle on their data is simply to move from DAS to networked storage to "establish a foundation on which to consolidate all of their information."

Without centralization and consolidation, says Rob Pegler, vice president of technical solutions at Xiotech, HIPAA compliance is "impossible." Hospitals used to operate with data stores in individual departments, says Pegler. Referring to HIPAA's maximum wrongful disclosure penalty (a criminal fine of up to $250,000 and up to ten years in prison for knowingly obtaining or disclosing individually identifiable health information with intent to sell it or to cause malicious harm), he adds, "20 years ago this wasn't given a thought. But today with HIPAA, with the quarter-million dollar hammer, they are painfully aware of this. It has forced a change in storage design."

Pegler also sees HIPAA driving a trend away from CD-ROM, DVD and optical media to spinning network storage. Such formats had been popular because of their portability and ease of recording, but their very portability is now a privacy liability. "The good news is that you can hand the DVD from the doctor to another doctor," Pegler says. "The bad news is they get lost. Under HIPAA, this is a violation." Digital information stored on a SAN, in contrast, can be audited and guarded by access controls. The caveat is that the SAN itself only restricts which hosts can see which volumes, through zoning and LUN masking; the per-user access control and the audit trail the Security Rule asks for come from the operating systems and applications layered on top, and they protect nothing unless they are configured and the logs are actually reviewed.

The privacy knock can also be applied to the portability of film, and in that way, HIPAA may be helping to accelerate the move from film to digital PACS (picture archiving and communication systems). And PACS is clearly a driver of capacity growth. Mike Marchi, senior director of compliance and ILM solutions at Network Appliance, says that most of NetApp's healthcare compliance implementations "have been tied to PACS and X-ray images," where customers want to keep the information online to improve care, "and they're locking them down at the same time."

While hospitals often stored some components of medical records for long periods, HIPAA may require more complete coverage. Also, HIPAA has varying retention times based on the type of information, so classification becomes increasingly important. Says Gerr, "Before HIPAA, many hospitals would simply purge records from radiology, the PACS system, after a year or two years." Now, common practice is to retain this data for the life of the patient.

E-mail is also covered by HIPAA wherever confidential patient information might be transmitted. Francis Lambert, product partnerships consultant for Zantaz, sees "an emerging need for auto-classification of e-mails, to know whether or not they need to be retained for compliance." Though the lines are not clear here on what constitutes protected health information, Lambert says, "we think it's prudent for healthcare practitioners to store any email discussing a patient's condition."

It's certainly prudent to protect that information, agrees Gerr, who says that he expects most companies covered by HIPAA to implement e-mail encryption. Under the Security Rule, encryption of data in transit is an "addressable" implementation specification rather than a required one: a covered entity that decides not to encrypt must document why the measure is not reasonable and appropriate for it and what alternative it has put in place, so the decision has to be written down either way.

Page 2: A Look At Two Healthcare Providers

